Connection refused = no mail delivered locally with lmtp

#1
04-28-2006, 03:51 AM
Active Member
Posts: 33

I am currently beta-testing a Zimbra setup for our company and have things set up like this:

Zimbra is preferred MX in DNS but has port 25 blocked for everyone else except the zimbraserver and my office IP.
I have set up all the existing users as forward users with the zimbraMailTransport setting as detailed in the Split Domain Wiki document. For what it's worth, this part of the setup works fine.

As a test before starting the proper migration (with opening SMTP port on the Zimbra server and letting it be the master in the setup) I altered my own account (denis@mydomain.com) setting zimbraMailTransport = lmtp:zimbraserver.mydomain.com

I then sent a few test messages to myself via the zimbraserver SMTP, but these consistently fail delivery with the ominous "connection refused zimbraserver.mydomain.com" message.

I have opened all the ports the server is listening to like this:
Code:
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:7025
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:10024
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:10025
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:7306
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:7307
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:3310
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:7780
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:8005
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:7025
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:10024
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:10025
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:7306
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:7307
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:3310
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:7780
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:8005
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7071
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:99
I checked connecting with telnet to ports 25, 10025 and 7025 from the server and this works fine.

I then tailed the /var/log/zimbra.log and I find this when requeuing the messages:

Code:
Apr 28 11:36:09 ms1 postfix/postsuper[5988]: Requeued: 2 messages
Apr 28 11:36:09 ms1 postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.9/conf/main.cf
Apr 28 11:36:09 ms1 postfix/postfix-script: starting the Postfix mail system
Apr 28 11:36:09 ms1 postfix/master[6038]: daemon started -- version 2.2.9, configuration /opt/zimbra/postfix-2.2.9/conf
Apr 28 11:36:09 ms1 postfix/pickup[6046]: 6EFEA4C881: uid=502 from=<Administrator@oter.intra> orig_id=689E74C883
Apr 28 11:36:09 ms1 postfix/cleanup[6050]: 6EFEA4C881: message-id=<000001c66a78$4457eab0$0500000a@intra>
Apr 28 11:36:09 ms1 postfix/qmgr[6047]: 6EFEA4C881: from=<Administrator@oter.intra>, size=61826, nrcpt=1 (queue active)
Apr 28 11:36:09 ms1 postfix/pickup[6046]: 744824C882: uid=502 from=<denis@mydomain.com> orig_id=046124C886
Apr 28 11:36:09 ms1 postfix/cleanup[6050]: 744824C882: message-id=<4450AC33.7040403@mydomain.com>
Apr 28 11:36:09 ms1 amavis[3747]: (03747-01) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20060428T113609-03747: <Administrator@oter.intra> -> <denis@mydomain.com> Received: SIZE=61826 from zimbraserver.mydomain.com ([127.0.0.1]) by localhost (zimbraserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03747-01 for <denis@mydomain.com>; Fri, 28 Apr 2006 11:36:09 +0200 (CEST)
Apr 28 11:36:09 ms1 postfix/qmgr[6047]: 744824C882: from=<denis@mydomain.com>, size=213996, nrcpt=1 (queue active)
Apr 28 11:36:09 ms1 zimbramon[2865]: 2865:info: Starting snmp
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20060428T113609-03748: <denis@mydomain.com> -> <denis@mydomain.com> Received: SIZE=213996 from zimbraserver.mydomain.com ([127.0.0.1]) by localhost (zimbraserver.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03748-01 for <denis@mydomain.com>; Fri, 28 Apr 2006 11:36:09 +0200 (CEST)
Apr 28 11:36:09 ms1 amavis[3747]: (03747-01) Checking: WMTyU+PB-tpe [127.0.0.1] <Administrator@oter.intra> -> <denis@mydomain.com>
Apr 28 11:36:09 ms1 zimbramon[2865]: 2865:info: Starting spell
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) Checking: UV-f93YUnLVr [127.0.0.1] <denis@mydomain.com> -> <denis@mydomain.com>
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) spam_scan: not wasting time on SA, message longer than 65536 bytes: 4920+206025
Apr 28 11:36:09 ms1 postfix/smtpd[6123]: initializing the server-side TLS engine
Apr 28 11:36:09 ms1 postfix/smtpd[6123]: connect from localhost.localdomain[127.0.0.1]
Apr 28 11:36:09 ms1 postfix/smtpd[6123]: D888C4C883: client=localhost.localdomain[127.0.0.1]
Apr 28 11:36:09 ms1 postfix/cleanup[6066]: D888C4C883: message-id=<4450AC33.7040403@mydomain.com>
Apr 28 11:36:09 ms1 postfix/qmgr[6047]: D888C4C883: from=<denis@mydomain.com>, size=214432, nrcpt=1 (queue active)
Apr 28 11:36:09 ms1 postfix/smtpd[6123]: disconnect from localhost.localdomain[127.0.0.1]
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) FWD via SMTP: <denis@mydomain.com> -> <denis@mydomain.com>, 250 2.6.0 Ok, id=03748-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as D888C4C883
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) Passed CLEAN, LOCAL [127.0.0.1] [195.159.43.66] <denis@mydomain.com> -> <denis@mydomain.com>, Message-ID: <4450AC33.7040403@mydomain.com>, mail_id: UV-f93YUnLVr, Hits: -, 397 ms
Apr 28 11:36:09 ms1 postfix/smtp[6086]: 744824C882: to=<denis@mydomain.com>, relay=127.0.0.1[127.0.0.1], delay=-736, status=sent (250 2.6.0 Ok, id=03748-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as D888C4C883)
Apr 28 11:36:09 ms1 postfix/qmgr[6047]: 744824C882: removed
Apr 28 11:36:09 ms1 amavis[3748]: (03748-01) extra modules loaded: Net/LDAP/Bind.pm
Apr 28 11:36:09 ms1 postfix/lmtp[6129]: D888C4C883: to=<denis@mydomain.com>, relay=none, delay=0, status=deferred (connect to zimbraserver.mydomain.com[192.168.192.168]: Connection refused)
Apr 28 11:36:10 ms1 postfix/smtpd[6123]: connect from localhost.localdomain[127.0.0.1]
Apr 28 11:36:10 ms1 postfix/smtpd[6123]: B0E8E4C882: client=localhost.localdomain[127.0.0.1]
Apr 28 11:36:10 ms1 postfix/cleanup[6050]: B0E8E4C882: message-id=<000001c66a78$4457eab0$0500000a@intra>
Apr 28 11:36:10 ms1 postfix/qmgr[6047]: B0E8E4C882: from=<Administrator@oter.intra>, size=62757, nrcpt=1 (queue active)
Apr 28 11:36:10 ms1 postfix/smtpd[6123]: disconnect from localhost.localdomain[127.0.0.1]
Apr 28 11:36:10 ms1 amavis[3747]: (03747-01) FWD via SMTP: <Administrator@oter.intra> -> <denis@mydomain.com>, 250 2.6.0 Ok, id=03747-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as B0E8E4C882
Apr 28 11:36:10 ms1 postfix/lmtp[6129]: B0E8E4C882: to=<denis@mydomain.com>, relay=none, delay=0, status=deferred (connect to zimbraserver.mydomain.com[192.168.192.168]: Connection refused)
Apr 28 11:36:10 ms1 amavis[3747]: (03747-01) Passed CLEAN, LOCAL [127.0.0.1] [195.159.43.66] <Administrator@oter.intra> -> <denis@mydomain.com>, Message-ID: <000001c66a78$4457eab0$0500000a@intra>, mail_id: WMTyU+PB-tpe, Hits: 1.205, 1286 ms
Apr 28 11:36:10 ms1 postfix/smtp[6065]: 6EFEA4C881: to=<denis@mydomain.com>, relay=127.0.0.1[127.0.0.1], delay=-735, status=sent (250 2.6.0 Ok, id=03747-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as B0E8E4C882)
Apr 28 11:36:10 ms1 postfix/qmgr[6047]: 6EFEA4C881: removed
Apr 28 11:36:10 ms1 amavis[3747]: (03747-01) extra modules loaded: Net/LDAP/Bind.pm
Note: the 192.168.192.168 address is not the real address I use.

I am a bit puzzled by this. Is there a port I didn't open, something I have overlooked? This log snippet was after I altered the server's /etc/hosts file, adding:
Code:
127.0.0.1 localhost localhost.localdomain zimbraserver zimbraserver.mydomain.com
But even without this (and the server has a correct IP in DNS) it produces the exact same problem and messages.

Any help, insight in what could be wrong would be highly appreciated!

Regards

Last edited by denisb : 04-28-2006 at 04:25 AM.

#2
04-28-2006, 05:33 AM
Active Member
Posts: 49

In the admin console, try unchecking the "Use DNS" box on the MTA tab. I had some success with this.

#3
04-28-2006, 06:20 AM
Active Member
Posts: 33

Thanks for the suggestion, changing this alters the error message from "connection refused ms1.startsiden.no" to "connection refused 127.0.0.1".

There seems to be some port or some setting prohibiting the lmtp delivery from working properly? I have checked the zmcontrol status and all services are running properly.

Additional info is a listing of netstat -i :
Code:
tcp        0      0 *:ldap                      *:*                         LISTEN
tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN
tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN
tcp        0      0 localhost.localdomain:7306  *:*                         LISTEN
tcp        0      0 localhost.localdomain:7307  *:*                         LISTEN
tcp        0      0 *:3310                      *:*                         LISTEN
tcp        0      0 *:smtp                      *:*                         LISTEN
tcp        0      0 *:ldaps                     *:*                         LISTEN
tcp        0      0 *:imaps                     *:*                         LISTEN
tcp        0      0 *:pop3s                     *:*                         LISTEN
tcp        0      0 *:7780                      *:*                         LISTEN
tcp        0      0 localhost.localdomain:8005  *:*                         LISTEN
tcp        0      0 *:pop3                      *:*                         LISTEN
tcp        0      0 *:imap                      *:*                         LISTEN
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:7025                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 *:7071                      *:*                         LISTEN
udp        0      0 *:34645                     *:*
udp        0      0 *:34646                     *:*
Also, I did check with telnet that ports 10025, 7025 and 25 are all actually available from the box. They do answer and seem to work as far as I can see.

Last edited by denisb : 04-28-2006 at 07:59 AM.

#4
04-28-2006, 10:02 AM
Zimbra Employee
Posts: 4,784

Try adding a 7025 anywhere/anywhere rule.

Code:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7025

#5
05-02-2006, 02:22 AM
Active Member
Posts: 33

Kevin; thanks for your help, but this did not do anything. Still "connection refused".

Is there any place I can turn on more debugging info in the logs or anything?

#6
05-02-2006, 03:01 AM
Active Member
Posts: 33

From the previous netstat -l :
Code:
tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN
tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN
tcp        0      0 localhost.localdomain:7306  *:*                         LISTEN
tcp        0      0 localhost.localdomain:7307  *:*                         LISTEN
Is this correct? Should the 10025 only bind to localhost ?
Port 7025 is reachable both on the localhost and the public address, tested with telnet.

I am a bit desperate to fix this issue as my progress with the new mailserver rollout is halted completely now. Any help would be extremely valuable.

#7
05-02-2006, 03:03 AM
Active Member
Posts: 33

Quote:
Originally Posted by cutigersfan
In the admin console, try unchecking the "Use DNS" box on the MTA tab. I had some success with this.
Just to let anyone reading this know that unchecking this box borked external mail delivery (to other SMTP servers) pretty much completely. I am not sure what this setting is for, but if you plan to use the server as a relayhost for internet mail, don't uncheck this box.

#8
05-02-2006, 04:51 AM
Zimbra Consultant & Moderator
Posts: 11,508

Assuming that your DNS is correct, have you got any firewall or SELinux that might be blocking this server?
__________________
Regards


Bill

#9
05-02-2006, 05:05 AM
Active Member
Posts: 33

No central firewall, the only thing would be the iptables setup which I outlined above.

I also (to debug) moved all the iptables rules covering the Zimbra internal ports to accept any source address, so the current ruleset is like this:

Code:
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  office.mycompany.com anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7025
ACCEPT     tcp  --  zimbraserver.mydomain.com    anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  localhost.localdomain  anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7025
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:10024
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:10025
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7306
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7307
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3310
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7780
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:8005
REJECT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:7071
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:99
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
And as I said, I tried telnet to the relevant ports, both on the public and localhost addresses. It works.

SELinux is set to :
SELINUX=permissive
SELINUXTYPE=targeted

Which should mean (AFAIK) that it never "blocks" anything, only warns.

#10
05-02-2006, 06:37 AM
Zimbra Consultant & Moderator
Posts: 11,508

Yes, those settings are supposed to be 'warn' and not interfere with things, but have you tried with SELinux disabled - just to see if it is the problem?

Just an additional question on the hosts file you have at the beginning of this thread, why don't you have an entry for the IP address (in addition to 127.0.0.1) & FQDN of your zimbra server? I was under the impression it was necessary.
__________________
Regards


Bill
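
Added example, not part of any post in this thread: a Python check that cross-references a zimbraMailTransport value with a `netstat -l` listing to see whether the port Postfix would dial has a listener on a reachable address. It assumes Postfix's stock `lmtp_tcp_port` default of 24 when the value names no port; the function and constant names are hypothetical, and the listing is a constructed subset of the one posted above.

```python
import re

# Assumption: Postfix's lmtp client falls back to lmtp_tcp_port (default 24)
# when the transport nexthop names no port.
DEFAULT_LMTP_PORT = 24
SERVICES = {"smtp": 25, "ldap": 389, "ldaps": 636, "imap": 143, "imaps": 993,
            "pop3": 110, "pop3s": 995, "http": 80, "ssh": 22}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1"}

# Constructed sample: a subset of the `netstat -l` listing posted in the thread.
NETSTAT = """\
tcp        0      0 localhost.localdomain:10024 *:*                         LISTEN
tcp        0      0 localhost.localdomain:10025 *:*                         LISTEN
tcp        0      0 *:smtp                      *:*                         LISTEN
tcp        0      0 *:7025                      *:*                         LISTEN
"""

def parse_transport(value):
    """Split 'lmtp:host[:port]' into (host, port), applying the default port."""
    m = re.fullmatch(r"lmtp:(?:inet:)?\[?([^\]:]+)\]?(?::(\d+))?", value.strip())
    if not m:
        raise ValueError("not a TCP lmtp transport: %r" % value)
    return m.group(1), int(m.group(2)) if m.group(2) else DEFAULT_LMTP_PORT

def parse_listeners(netstat_text):
    """Return {port: set of bind addresses} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            # netstat prints well-known ports by service name unless run with -n
            port = int(port) if port.isdigit() else SERVICES.get(port)
            if port is not None:
                listeners.setdefault(port, set()).add(addr)
    return listeners

def diagnose(transport, netstat_text, dest_is_loopback=False):
    """Say whether a connect() for this transport would find a listener."""
    host, port = parse_transport(transport)
    binds = parse_listeners(netstat_text).get(port)
    if not binds:
        return "refused: nothing listens on tcp/%d" % port
    if binds & {"*", "0.0.0.0", "::"}:
        return "ok: tcp/%d listens on all addresses" % port
    if dest_is_loopback and binds & LOOPBACK_NAMES:
        return "ok: tcp/%d listens on loopback" % port
    return "refused: tcp/%d is bound to %s only" % (port, ", ".join(sorted(binds)))
```

Under that assumption, a transport value with no port resolves to tcp/24, which does not appear in the listener list posted in the thread, while tcp/7025 is bound on all addresses.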